Justin Jett, director of audit and compliance for Plixer, discusses the elements of a successful advanced security posture.
Considering recent announcements of major attacks caused by external malicious actors, including a ransomware attack on a U.S. gasoline pipeline, the need for increased security posture is as important as ever, and multilayered security remains the key.
With rampant ransomware attacks and other cybersecurity incidents dominating headlines, organizations and governments are paying more attention, and many are willing to spend the money needed to help fix some of the problems that make it easy for these threat actors to successfully infiltrate and compromise a computer system or network. President Joe Biden signed an executive order this week that includes initiatives aimed at improving the nation’s cybersecurity; across the Atlantic, a recent report by the U.K.’s National Cyber Security Centre shows how the U.K. is ramping up its cybersecurity defense measures.
Meanwhile, according to the recently released Cisco Future of Secure Remote Work report, which surveyed more than 3,000 global IT decision-makers across 30 industries, 85 percent of respondents said that cybersecurity has become extremely important since the start of the pandemic. This is largely because organizations had to quickly shift to a majority work-from-home model, which meant shifting policies and security approaches to the new normal.
Multi-Layered Security is Not Outdated
It’s been said over and over again, but it’s worth repeating. Having a multi-layered security approach is the best way to decrease the likelihood of a successful breach or security compromise. And while some layers of security may seem trivial or obvious, they are all equally important.
It’s similar to a water-purification system. Just like a first layer of water purification involves taking out the large and obvious particles, the first layer to cybersecurity may simply be a network firewall blocking the obviously malicious traffic. It would be ridiculous to try reverse osmosis on raw sewage without first cleaning out the obviously toxic content.
With each layer you add to your network, you are likely to eliminate more and more contaminants, i.e., malicious activity. So, adding firewalls, intrusion prevention and detection systems, and malware-fighting antivirus is always a good way to reduce the chance of something getting through.
But sometimes you need further analysis on this data. Just like water, it’s impossible to know if it’s bad without proper analysis.
How to Properly Analyze your Network Traffic
Trying to analyze network traffic in real time can be just as difficult as trying to test all of the water flowing as it exits a firehose. You can do it with an inordinate amount of money, but it isn’t scalable. What makes things even more difficult is that malicious actors almost always deploy methods to remain undetected, including using low-and-slow data-transfer methods to slip under the radar.
To combat these methods, network data should be collected and analyzed over a long period of time to determine where malicious traffic is coming from. Specifically, machine learning via network detection and response (NDR) systems should almost always be deployed to aid network and security teams in identifying malicious traffic.
Security for Hybrid Work Models
With many organizations allowing vaccinated workers back into the office and allowing employees to decide when or if to return, the shift to a hybrid security model is almost certain to become permanent. This increases the need for NDR because the security needs of the organization change as employees change where they work. Organizations will find it harder to create blanket rules around network connections when employees are constantly changing IPs or locations.
While some organizations will force employees to connect to the corporate VPN, it’s not always practical to do, especially when home bandwidth capacity is limited. Instead, looking at how traffic flows across the network over time enables security teams to properly detect anomalies.
While employees might be shifting around, the types of connections and data they consume are likely to change just as often. Using NDR-capable systems gives organizations the insight they need to detect when members of their sales team start uploading content via an SSH connection or when HR starts making outbound connections over FTP. This is especially true when not all users are connected to the network all the time. Once that connection resumes, having historical data is critical to identify potentially infected devices.
People: Weakest Security Link
Unfortunately, people are the weakest link, so the ability to baseline behavior and identify when traffic patterns deviate is a best practice in detecting malicious activities. But by enabling a multi-layer approach with long-term baseline analysis of network traffic, organizations can ensure they have the highest-level security posture even when employees are constantly shifting where they work.
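The long-term baselining described above (collecting flow data over weeks, then flagging a department that suddenly uploads over SSH or opens outbound FTP) can be sketched in a few dozen lines. The following is an added example, not code from the author or from Plixer; the flow fields, department names and byte volumes are constructed for illustration, and a real NDR deployment would ingest NetFlow/IPFIX records from the network rather than this hand-built list. It learns per-department, per-protocol daily byte totals over a 14-day window and then raises two kinds of alert over a later 3-day window: a protocol the department never used in the baseline (caught regardless of how little data moves, which is what defeats low-and-slow transfers), and a volume that exceeds the baseline mean by more than three standard deviations.

```python
"""Baseline per-department network behaviour from flow records and flag deviations.

Added example with constructed data; field names are hypothetical stand-ins for
what a flow collector (NetFlow/IPFIX) would provide.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Flow(NamedTuple):
    day: int          # day index within the collection period (constructed)
    department: str   # group the source host belongs to (assumed to come from an asset inventory)
    protocol: str     # application protocol, e.g. "https", "ssh", "ftp"
    direction: str    # "out" = traffic leaving the corporate network
    bytes: int


Key = Tuple[str, str, str]  # (department, protocol, direction)


def daily_totals(flows: Iterable[Flow], days: Iterable[int]) -> Dict[Key, Dict[int, int]]:
    """Sum bytes per (department, protocol, direction) per day, restricted to `days`."""
    day_set = set(days)
    totals: Dict[Key, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.day in day_set:
            totals[(f.department, f.protocol, f.direction)][f.day] += f.bytes
    return totals


def build_baseline(flows: Iterable[Flow], baseline_days: List[int]) -> Dict[Key, Tuple[float, float]]:
    """Mean and population stdev of daily bytes for every key seen in the baseline window."""
    baseline = {}
    for key, per_day in daily_totals(flows, baseline_days).items():
        series = [per_day.get(d, 0) for d in baseline_days]  # silent days count as 0 bytes
        baseline[key] = (mean(series), pstdev(series))
    return baseline


def detect_deviations(flows, baseline, eval_days, z=3.0, min_sigma_ratio=0.05):
    """Return alerts as (kind, key, day, bytes) tuples, sorted by key."""
    alerts = []
    for key, per_day in sorted(daily_totals(flows, eval_days).items()):
        if key not in baseline:
            # Department never used this protocol/direction during the baseline:
            # alert on the first day seen and report the cumulative bytes, however small.
            alerts.append(("new-protocol", key, min(per_day), sum(per_day.values())))
            continue
        mu, sigma = baseline[key]
        sigma = max(sigma, min_sigma_ratio * mu)  # floor so a flat baseline still tolerates small drift
        for d in sorted(per_day):
            if per_day[d] > mu + z * sigma:
                alerts.append(("volume", key, d, per_day[d]))
    return alerts


def build_sample_flows():
    """Constructed 17 days of flows: 14 baseline days, then 3 days containing anomalies."""
    baseline_days = list(range(1, 15))
    eval_days = list(range(15, 18))
    usual = {  # typical daily outbound bytes per department and protocol (constructed)
        ("sales", "https", "out"): 2_000_000,
        ("hr", "https", "out"): 500_000,
        ("engineering", "ssh", "out"): 300_000,
        ("engineering", "https", "out"): 1_500_000,
    }
    flows = []
    for d in baseline_days + eval_days:
        jitter = 1.05 if d % 2 else 0.95  # +/-5% day-to-day variation so stdev is non-zero
        for (dept, proto, dirn), vol in usual.items():
            flows.append(Flow(d, dept, proto, dirn, int(vol * jitter)))
    # Anomalies in the evaluation window (all constructed):
    flows.append(Flow(15, "sales", "ssh", "out", 50_000))      # sales starts uploading over SSH
    flows.append(Flow(16, "sales", "ssh", "out", 60_000))
    for d in eval_days:                                        # HR trickles 2 KB/day out over FTP
        flows.append(Flow(d, "hr", "ftp", "out", 2_000))
    flows.append(Flow(16, "engineering", "https", "out", 7_500_000))  # one-day HTTPS volume spike
    return flows, baseline_days, eval_days


def run_demo():
    flows, baseline_days, eval_days = build_sample_flows()
    baseline = build_baseline(flows, baseline_days)
    return detect_deviations(flows, baseline, eval_days)


if __name__ == "__main__":
    for kind, key, day, nbytes in run_demo():
        print(f"{kind:13s} {key[0]:12s} {key[1]:6s} {key[2]:4s} day={day:2d} bytes={nbytes:,}")
```

The HR FTP case is the one worth noting: 2 KB a day would never trip a volume threshold, but because the (department, protocol, direction) key itself is absent from the 14-day baseline it is reported on the first day it appears. The sigma floor (`min_sigma_ratio`) keeps a department with perfectly regular traffic from alerting on a 1% change, which is the usual source of noise when z-scores are applied to a flat series.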
Taking this multi-layer approach is really the only way to safeguard against attacks. While not all attacks can be stopped, the damage they cause can be drastically reduced.
Justin Jett is the director of audit and compliance for Plixer.